smtp.rules

This is the snapshot of Snot Latest Rules

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN"; nocase; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; metadata:service smtp; reference:bugtraq,1297; reference:bugtraq,7515; reference:cve,2000-0490; reference:nessus,10438; classtype:attempted-admin; sid:1550; rev:16;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From|3A|"; nocase; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"|28|"; distance:1; content:"|29|"; distance:1; metadata:service smtp; reference:bugtraq,6991; reference:cve,2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding|3A|"; nocase; isdataat:100,relative; content:!"|0A|"; within:100; metadata:service smtp; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; pcre:"/^XEXCH50\s+-\d/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,8838; reference:cve,2003-0714; reference:nessus,11889; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2253; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; isdataat:255,relative; pcre:"/^EXPN[^\n]{255,}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; isdataat:255,relative; pcre:"/^VRFY[^\n]{255,}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:9;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; reference:nessus,11316; classtype:attempted-admin; sid:2261; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2262; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2263; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2264; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2265; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2266; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2267; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:attempted-admin; sid:2268; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too many addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2269; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:attempted-admin; sid:2270; rev:9;)
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; metadata:service smtp; classtype:suspicious-login; sid:2275; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-type buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2487; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-disposition buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3A|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2488; rev:10;)


alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:12;)




alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; metadata:policy security-ips drop, service smtp; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2541; rev:9;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,10116; reference:cve,2003-0719; reference:nessus,12205; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2528; rev:17;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:2542; rev:9;)
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:2543; rev:11;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; metadata:policy security-ips drop, service smtp; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2544; rev:8;)


alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"MAIL FROM"; nocase; isdataat:260; content:!"|0A|"; within:256; metadata:service smtp; reference:bugtraq,10290; reference:bugtraq,7506; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2590; rev:5;)
alert tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"SMTP SSLv2 Server_Hello request"; flow:from_server,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:3497; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv2 Client_Hello with pad request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:3494; rev:4;)
alert tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"SMTP TLSv1 Server_Hello request"; flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:3498; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP TLSv1 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:3495; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Encoding overflow attempt"; flow:to_server,established; content:"Content-Encoding|3A|"; nocase; pcre:"/Content-Encoding\x3A[^\r\n]{300,}/i"; metadata:service smtp; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:3462; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:3496; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv2 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:3493; rev:5;)